this post was submitted on 15 Jul 2026
250 points (98.4% liked)

Technology

86401 readers
2808 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots


founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] orclev@lemmy.world 19 points 2 days ago (2 children)

The way it should work is that during the OS install the OS can ask to have a cert added to the keystore at which point UEFI pops up a screen that says something like:

An application has requested to add a new certificate to secure boot which will allow new software to run at boot up. This usually happens when installing or updating an OS. If you would like to allow this press and hold <5 randomly selected letters> on the keyboard for 5 seconds. If you don't want to allow this press and hold escape for 3 seconds.

This would at least be a vendor agnostic way of enrolling certificates instead of the MS certificate just always being pre-installed. It should also of course be publicly documented exactly how the process works so everyone can use it.

[–] addie@feddit.uk 8 points 2 days ago (3 children)

Problem being, of course, that you can add more certificates, but you can't revoke the original M$ one. And since it's vulnerable and you can't get rid, then these exploits still work and there's nothing you can do to stop it.

[–] cmhe@lemmy.world 2 points 11 hours ago

On some systems you can clear all secure boot keys, including Microsoft's, then provision your own and sign your bootloader or kernel with it. Windows cannot boot from such systems.

[–] defaultusername@lemmy.dbzer0.com 15 points 2 days ago* (last edited 2 days ago)

Computers shouldn't come with Microsoft keys preinstalled to begin with (or an operating system for that matter). Microsoft being able to have Windows preinstalled on the vast majority of non-Apple PCs is how they gained their monopoly in the first place.

[–] orclev@lemmy.world 3 points 2 days ago

You should be able to remove any or all the certs as well, although I could see an argument for requiring you to enter the BIOS to do that.

[–] exu@feditown.com 4 points 2 days ago (1 children)

Universal Blue distros do that. For some reason you need to enter a password though.

[–] cmhe@lemmy.world 1 points 11 hours ago* (last edited 11 hours ago)

This is the MOK (Machine Owner Key), which is part of the shim bootloader, not UEFI secure boot.

The shim bootloader is signed by Microsoft UEFI secure boot keys, so Microsoft is the root of trust there.

On some systems you can delete all Secure Boot keys, and provision your own, then you don't need the shim bootloader and can sign your own bootloader or Linux kernel directly. Windows would not be able to boot on those systems.